6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e

General

Target

6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe
Size

336KB
MD5

9cf192286c184146ec556d879f6e0655
SHA1

f27ebdb2bb77ad292701bd9a2873143b5b5cf9c8
SHA256

6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e
SHA512

fd9caa2768b8199de85d04375b43f6afaec52019358ea489758077c16c86a159138fdaf128cab3bb4375679b1c6d4a70ffd279714eeb328312d8ab7f432405de
SSDEEP

6144:LY56LCD4nLgnjk/LBNnyRQz9f/VrhgdJoux:LYMG4LzbzF9lCJB

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1084	Yhrbio.exe
1732	360sb.exe

Deletes itself 1 IoCs

pid	Process
992	WScript.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\360sb.exe	Yhrbio.exe
File opened for modification	C:\Windows\360sb.exe	Yhrbio.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe
1084	Yhrbio.exe
1732	360sb.exe
1084	Yhrbio.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1732	360sb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 1084	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	27
PID 1840 wrote to memory of 1084	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	27
PID 1840 wrote to memory of 1084	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	27
PID 1840 wrote to memory of 1084	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	27
PID 1840 wrote to memory of 992	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	28
PID 1840 wrote to memory of 992	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	28
PID 1840 wrote to memory of 992	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	28
PID 1840 wrote to memory of 992	1840	6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe	28
PID 1084 wrote to memory of 2032	1084	Yhrbio.exe	30
PID 1084 wrote to memory of 2032	1084	Yhrbio.exe	30
PID 1084 wrote to memory of 2032	1084	Yhrbio.exe	30
PID 1084 wrote to memory of 2032	1084	Yhrbio.exe	30

C:\Users\Admin\AppData\Local\Temp\6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe
"C:\Users\Admin\AppData\Local\Temp\6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Yhrbio.exe
  "C:\Yhrbio.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\290.vbs"
    3⤵
    PID:2032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\9958.vbs"
  2⤵
  - Deletes itself
  PID:992

C:\Windows\360sb.exe
C:\Windows\360sb.exe
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\290.vbs

Filesize
500B

MD5
d4e2f4de2a16dfb0924956d03786e10a

SHA1
b953fa2bcf8796ffcb306f84165066f294c7a78c

SHA256
1501442aa88dfee6795ece983e4e7c4cc790464c33ef0ad9305ee288e532d970

SHA512
a88ebb2b9918262d965191ea9a092c12d894c4ce4d1f559b4096125a00c280e3a0a539f0c40b6ff81b6e9032f6815b1dc7a8109a29f49b6040d1f92eebd3a5be

Download Submit
C:\9958.vbs

Filesize
500B

MD5
5b79c24aba47fb72744e1f258e008c3c

SHA1
a8f705e39cc26e89ffce2e49a37f66baf4ccf306

SHA256
23b315d28e330de5c796ef7f492231feca6cb30877514ed65419ab1e48b5feae

SHA512
3516d993b1042175c456bc89ef59fa8ead7bbd1d562873c10bb4fe749d02589801cb1814f82f7879fe1046dbfc31ce8e2ea57ccedbd39034b21c6b16e65c9aec

Download Submit
C:\Windows\360sb.exe

Filesize
336KB

MD5
9cf192286c184146ec556d879f6e0655

SHA1
f27ebdb2bb77ad292701bd9a2873143b5b5cf9c8

SHA256
6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e

SHA512
fd9caa2768b8199de85d04375b43f6afaec52019358ea489758077c16c86a159138fdaf128cab3bb4375679b1c6d4a70ffd279714eeb328312d8ab7f432405de

Download Submit
C:\Yhrbio.exe

Filesize
336KB

MD5
9cf192286c184146ec556d879f6e0655

SHA1
f27ebdb2bb77ad292701bd9a2873143b5b5cf9c8

SHA256
6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e

SHA512
fd9caa2768b8199de85d04375b43f6afaec52019358ea489758077c16c86a159138fdaf128cab3bb4375679b1c6d4a70ffd279714eeb328312d8ab7f432405de

Download Submit
C:\Yhrbio.exe

Filesize
336KB

MD5
9cf192286c184146ec556d879f6e0655

SHA1
f27ebdb2bb77ad292701bd9a2873143b5b5cf9c8

SHA256
6b80cdcee4ce1b93b57a9c070cda2068620fef1ec2a8d3b4fd454fb98bcea30e

SHA512
fd9caa2768b8199de85d04375b43f6afaec52019358ea489758077c16c86a159138fdaf128cab3bb4375679b1c6d4a70ffd279714eeb328312d8ab7f432405de

Download Submit
memory/1840-54-0x0000000076401000-0x0000000076403000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing